
The Art of Deception: Stories of How We All Get Phished

Are you like most people who associate cyber, cyber security, data breaches and other similar terms with computers and technology? When you hear about a data breach in the news, do you immediately wonder which technical vulnerability was exploited? This is probably the reason why so many companies believe that a breach won’t happen to their company. They believe hackers only exploit technical vulnerabilities and somehow their tools and techniques for securing data are better than everyone else’s. Regardless of the reason, most are ignoring the one weak link in the chain that is more easily exploited than most technical vulnerabilities but much more difficult to mitigate — the end-user. The employee with access to the network is by far a much greater threat than just about any technical vulnerability. One click and your network is compromised.

Many moons ago, hacking was accomplished via social engineering. The person seeking to gain access to a company or gain information about a company merely showed up at the front desk posing as some sort of repair or delivery man and, in most cases, was given unfettered access. Or, he/she would simply call with a well-scripted story that would convince most to turn over the keys to the kingdom. As technology evolved, so did the social engineering. If a password to the network was the goal, the hacker would simply call an employee claiming to be from the IT department and describe some very technical issue and tell the employee that his/her password was needed to correct the issue. Most unwittingly complied by providing their password.

Well, the age-old art of deception is alive and well. The most popular social engineering tool today is the phishing attack, in which hackers use email messages to trick us into providing sensitive information, clicking on links, or downloading malware. Wikipedia explains the technique as, “Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication.” There are two primary types of phishing attacks: spear phishing and whaling. Spear phishing attacks are targeted at a specific individual, group of individuals or organization. Whaling is a phishing attack targeting a high-profile individual, such as a CEO, or a very important organization, such as a specific high-profile government agency.

Let’s look at some recent high-profile examples. The HVAC company that hackers breached in November 2013 in order to get into the Target network and compromise its point of sale (PoS) machines was itself breached via a phishing email (Krebs). Many of the newsworthy cyber heists in which company bank accounts were siphoned began with a phishing email. In many of the cases an executive was sent a phishing email with an attachment, such as a UPS or FedEx shipping label, laced with malware. Once the employee clicked on the label, the malware would download in the background, unbeknownst to the employee and IT and undetected by the network intrusion detection software and anti-virus software. In many cases the malware gets through either because it is a zero-day attack never seen before or because the company has yet to update its signatures to recognize the virus.

We have all seen phishing emails. Up until now, most have been pretty easy to spot. They usually include misspelled words, broken English or some ludicrous request, such as to send money in return for millions. Recently, though, the attacks have become more sophisticated. For instance, the attackers labeled Pawn Storm have used spear phishing emails to target military organizations that use Outlook Web Access (OWA). The emails do not contain malware but instead a link to a fake site that looks like a third-party vendor with which the victim is familiar. The goal of the hackers is to entice the victim to visit the fake site, which is laced with malware, and also to deceive the victim into re-logging into his/her OWA account, thus handing over his/her credentials. The hackers even use legitimate Secure Sockets Layer (SSL) certificates in some instances.

These are obviously very sophisticated attacks, and these victims are specifically targeted. Does the average user need to worry about this? Absolutely. Most phishing, though, is still not as sophisticated, but it has gotten much better. Most phishing is also related to spam rather than an effort to breach computers and networks. Spammers are constantly seeking to collect legitimate email addresses and will send out fake emails in the hope that you will click a link or unsubscribe, thus legitimizing your email address. Once legitimized, you go on the spam list. I can admit that lately I have been receiving phishing attacks from compromised servers in Australia. I would call these pseudo spear phishing attacks, since the senders know that I am an attorney and ask if I handle contract breach cases. Their mistake is in not providing any information such as a name, address block or any contact information. Once I respond, I have legitimized my email address. What their true intention is I may never know. But hey, there usually aren’t any misspelled words.

So, what can you do? Training, training, training. Employees must understand the threats, the typical motives of the hackers, how they operate, and who is vulnerable. Ignoring this vulnerability is negligent. Don’t assume that everyone these days knows about security simply because he/she has grown up with security. Most don’t.

At this point you may be thinking, “Well, our company does annual cyber awareness training online.” How effective is that? Are you like most who blast through the training to get to the test and get it over with? You can follow that example. Most companies do. I recommend live training that captures the attention of employees, gets in their faces, gets them thinking, and helps them understand how a breach will impact the company and their jobs, and can even carry over into their personal lives. Regardless of what you do, recognize the vulnerability known as the end-user and mitigate that risk.